Identifying whether an application is malicious

ABSTRACT

A first application can be presented for installation on a processing system. The first application can be scanned, via a static analysis implemented by a processor, to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system. If the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, the first application can be identified as being unsafe.

BACKGROUND

The present invention relates to identifying whether an application ismalicious.

Phishing attacks oftentimes are implemented by malicious partiesmasquerading as trustworthy entities in electronic communications. Atypical way of initiating a phishing attack is to install a maliciousapplication on a user's processing system. The malicious application maybe communicated to the processing system via an instant message, e-mail,or via a malicious or infected website the user accesses. Inillustration, a communication may be sent to the user, and suchcommunication can purport to be from popular social web site, auctionsite, financial institution, online payment processor, IT administrator,or the like. Such communication may provide a hyperlink to a maliciousURL, to which the communication directs the user, and the user mayselect believing that the URL is safe.

When requested to load the URL, the web browser may allow the maliciousapplication to be installed on user's processing system (e.g., a mobiledevice), external to a web browser that handles the URL visit requests.It may do so by firing an implicit Intent identified by the URL. Thisallows the malicious application to respond to the URL request using agraphical interface (GUI) that is essentially identical to that of thebrowser. The transition between the real browser and the maliciousapplication is smooth, and is thus likely to be missed by a benign user.For example, the malicious application can pretend to be the user's bankwebsite. The user then may enter into the malicious application accountdetails, such as a user name and password, which the maliciousapplication can retain. Malicious users then may use such details togain access to the user's account.

BRIEF SUMMARY

A method includes detecting a first application being presented forinstallation on a processing system. The method also can includescanning, via a static analysis implemented by a processor, the firstapplication to determine whether a user interface layout of the firstapplication is suspiciously similar to a user interface layout of asecond application installed on the processing system and to determine atotal number of possible user interface layouts of the firstapplication, wherein the user interface layout of the first applicationbeing suspiciously similar to the user interface layout of a secondapplication indicates the first application is attempting to emulate thesecond application. The method also can include, responsive to thestatic analysis being indeterminate as to whether the first applicationis suspiciously similar to the user interface layout of the secondapplication, responsive to the first application being executed,performing a runtime analysis of the first application to identify eachuser interface layout implemented by the first application, anddetermining whether each user interface layout implemented by the firstapplication is suspiciously similar to a user interface layout of thesecond application. The method also can include, responsive to theruntime analysis indicating that a total number of the first applicationuser interface layouts detected by the runtime analysis equals the totalnumber of possible user interface layouts determined by the staticanalysis, and that at least one of the first application user interfacelayouts is suspiciously similar to the user interface layout of thesecond application installed on the processing system, identifying thefirst application as being unsafe.

A processing system includes a hardware processor configured to initiateexecutable operations. The executable operations include detecting afirst application being presented for installation on a processingsystem. The executable operations also can include scanning, via astatic analysis implemented by a processor, the first application todetermine whether a user interface layout of the first application issuspiciously similar to a user interface layout of a second applicationinstalled on the processing system and to determine a total number ofpossible user interface layouts of the first application, wherein theuser interface layout of the first application being suspiciouslysimilar to the user interface layout of a second application indicatesthe first application is attempting to emulate the second application.The executable operations also can include, responsive to the staticanalysis being indeterminate as to whether the first application issuspiciously similar to the user interface layout of the secondapplication, responsive to the first application being executed,performing a runtime analysis of the first application to identify eachuser interface layout implemented by the first application, anddetermining whether each user interface layout implemented by the firstapplication is suspiciously similar to a user interface layout of thesecond application. The executable operations also can include,responsive to the runtime analysis indicating that a total number of thefirst application user interface layouts detected by the runtimeanalysis equals the total number of possible user interface layoutsdetermined by the static analysis, and that at least one of the firstapplication user interface layouts is suspiciously similar to the userinterface layout of the second application installed on the processingsystem, identifying the first application as being unsafe.

A computer program product system includes a computer-readable storagedevice, wherein the computer-readable storage device is not atransitory, propagating signal per se, having stored thereon programcode that, when executed, configures a processor to perform operations.The operations include detecting a first application being presented forinstallation on a processing system. The operations also can includescanning, via a static analysis implemented by a processor, the firstapplication to determine whether a user interface layout of the firstapplication is suspiciously similar to a user interface layout of asecond application installed on the processing system and to determine atotal number of possible user interface layouts of the firstapplication, wherein the user interface layout of the first applicationbeing suspiciously similar to the user interface layout of a secondapplication indicates the first application is attempting to emulate thesecond application. The operations also can include, responsive to thestatic analysis being indeterminate as to whether the first applicationis suspiciously similar to the user interface layout of the secondapplication, responsive to the first application being executed,performing a runtime analysis of the first application to identify eachuser interface layout implemented by the first application, anddetermining whether each user interface layout implemented by the firstapplication is suspiciously similar to a user interface layout of thesecond application. The operations also can include, responsive to theruntime analysis indicating that a total number of the first applicationuser interface layouts detected by the runtime analysis equals the totalnumber of possible user interface layouts determined by the staticanalysis, and that at least one of the first application user interfacelayouts is suspiciously similar to the user interface layout of thesecond application installed on the processing system, identifying thefirst application as being unsafe.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a system in which an applicationis validated in accordance with one embodiment disclosed within thisspecification.

FIG. 2 is a block diagram illustrating a processing system that performsvalidation an application in accordance with one embodiment disclosedwithin this specification.

FIG. 3 is a flowchart illustrating a method of identifying whether afirst application is malicious in accordance with another embodimentdisclosed within this specification.

FIG. 4 is another flowchart illustrating a method of identifying whethera first application is malicious in accordance with another embodimentdisclosed within this specification.

DETAILED DESCRIPTION

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct.

Accordingly, aspects of the present invention may take the form of anentirely hardware embodiment, an entirely software embodiment (includingfirmware, resident software, micro-code, etc.) or an embodimentcombining software and hardware aspects that may all generally bereferred to herein as a “circuit,” “module” or “system.” Furthermore,aspects of the present invention may take the form of a computer programproduct embodied in one or more computer-readable medium(s) havingcomputer-readable program code embodied, e.g., stored, thereon.

Any combination of one or more computer-readable medium(s) may beutilized. The computer-readable medium may be a computer-readable signalmedium or a computer-readable storage medium. A computer-readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer-readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard diskdrive (HDD), a solid state drive (SSD), a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), an optical fiber, a portable compact disc read-onlymemory (CD-ROM), a digital versatile disc (DVD), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer-readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer-readable signal medium may include a propagated data signalwith computer-readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer-readable signal medium may be any computer-readable medium thatis not a computer-readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer-readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber, cable, RF, etc., or any suitable combination ofthe foregoing. Computer program code for carrying out operations foraspects of the present invention may be written in any combination ofone or more programming languages, including an object orientedprogramming language such as Java™, Smalltalk, C++ or the like andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The program codemay execute entirely on the user's computer, partly on the user'scomputer, as a stand-alone software package, partly on the user'scomputer and partly on a remote computer, or entirely on the remotecomputer or server. In the latter scenario, the remote computer may beconnected to the user's computer through any type of network, includinga local area network (LAN) or a wide area network (WAN), or theconnection may be made to an external computer (for example, through theInternet using an Internet Service Provider).

Aspects of the present invention are described below with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer, other programmable data processing apparatus,or other devices create means for implementing the functions/actsspecified in the flowcharts and/or block diagram block or blocks.

These computer program instructions may also be stored in acomputer-readable medium that can direct a computer, other programmabledata processing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer-readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowcharts and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowcharts and/or blockdiagram block or blocks.

For purposes of simplicity and clarity of illustration, elements shownin the figures have not necessarily been drawn to scale. For example,the dimensions of some of the elements may be exaggerated relative toother elements for clarity. Further, where considered appropriate,reference numbers are repeated among the figures to indicatecorresponding, analogous, or like features.

Arrangements described herein relate to validating an application todetermine whether the application is a malicious application. When anapplication is installed onto a processing system (e.g., a mobiledevice) a static analysis can be performed on the application todetermine whether the application is a phishing application configuredto maliciously phish for private user information, such as useridentifiers (IDs), passwords, etc. A phishing application may attempt tophish for private user information by registering access to one or moreinter-process communications that are sensitive (e.g. contain privateuser information), for example inter-process communications pertainingto a uniform resource identifier (URI) (e.g., a uniform resource locator(URL)). A phishing application also may attempt emulate a web browser inorder to capture private information and provide such information to amalicious entity.

If the static analysis determines that the application is a phishingapplication, the static analysis can generate an alert and/or disableoperation of the application. If the static analysis is indeterminate asto whether the application is phishing application, further runtimeanalysis can be provided to determine such. If the runtime analysisdetermines that the application is a phishing application, the runtimeanalysis can generate an alert and/or disable operation of theapplication.

FIG. 1 is a block diagram illustrating a system 100 in which a firstapplication 105 is validated in accordance with one embodiment disclosedwithin this specification.

The first application 105 may be presented to a processing system 110from an application source 115 for installation onto the processingsystem 110. In one arrangement, the application source 115 may be anelectronic communication (e.g., an instant message or electronic mail(e-mail)) provided to the processing system 110, for example to anelectronic communication client executed on the processing system 110.The application source 115 can provide to the processing system 110 thefirst application 105. For example, upon opening the electroniccommunication, the electronic communication may attempt to initiateinstallation of the first application 105 on the processing system 110,or present to the user a control via which the application source 115entices the user to select to initiate installation of the firstapplication 105 on the processing system 110. Upon selection of thecontrol by the user, an attempt to install the first application 105 onthe processing system 110 can be initiated. In another arrangement, theapplication source 115 may be a malicious or infected website indicatedin an electronic communication, for example via a hyperlink the user isenticed to select, that initiates installation of the first application105 when the user accesses the website, or downloads content from thewebsite. Still, there are numerous ways in which unscrupulous users mayattempt to infect the processing system 110 with the first application105 and the present arrangements are not limited in this regard.

When the first application 105 is presented to the processing system 110for installation, either before installation, during installation orafter installation of the first application 105, a security application120 can be executed by the processing system 110 to initiate a staticanalysis module 125 to perform static analysis of the first application105 in order to determine whether the first application 105 ismalicious. In illustration, the security application 120 can determinewhether the first application 105 contains malicious code, such as aroot kit or the like, and either block installation of the firstapplication 105, block installation of the root kit, or delete theinstallation of the first application 105 and/or root kit if such havealready been installed on the processing system 110. The firstapplication 105, however, may not contain a root kit, or the like,identifiable by the static analysis module 125, yet still may bemalicious.

The static analysis module 125 can scan the first application 105 todetermine whether the first application 105 contains a user interface(UI). If so, the static analysis module 125 can scan a layout of thefirst application's UI to determine whether the first application 105 issuspiciously similar to a UI layout of a second application 130installed on the processing system, such as a web browser. Inillustration, the static analysis module 125 can scan a declaration,manifest file or extensible markup language (XML) document of the firstapplication 105 to determine the UI layout configuration of the firstapplication 105, and scan a declaration, manifest file or XML documentof the second application 130 to determine the UI layout configurationof the second application 130, and compare the results of such scans. Ifthe UI layout of the first application 105 is suspiciously similar tothe UI layout of the second application 130, this may indicate that thefirst application 105 is attempting to emulate the second application130 in order to phish for private user data.

If the static analysis module 125 determines that the firstapplication's UI layout is suspiciously similar to the UI layout of thesecond application 130 (e.g., there is a close resemblance between suchproperties), the security application 120 can register the firstapplication 105 as potentially being unsafe. Further, the securityapplication 120 can block installation of the first application 105and/or generate an alert indicating that the first application 105 is amalicious application (or potentially is unsafe). The alert can bepresented to the user, for example via a pop-up message or word balloonand/or communicated to the processing system 110.

In some instances the static analysis module 125 may not be able tocompletely validate the first application 105. In other words, thestatic analysis may be indeterminate as to whether the UI layout of thefirst application 105 is suspiciously similar to the UI layout of thesecond application 130. This may be due to instances where some or allof the UI components of the first application 105 are built dynamicallybased on data values available only at runtime and/or stored in abackend data storage (e.g., a database). In instances where there may beruntime UI layout(s) of the first application 105 for which the layoutconfiguration is unknown when the first application 105 is installed,the static analysis module 125 can provide additional output data. Forexample, the static analysis module 125 can determine a number ofpossible UI runtime layouts of the first application 105, if suchinformation is available, and indicate such as additional output data.If there potentially may be additional UI runtime layouts of the firstapplication 105, but the total number of such additional UI runtimelayouts is unknown, the additional output data can indicate such.

The static analysis module 125 also can, based on the scan of the firstapplication 105, identify inter-process communications monitored, orsubscribed to, by the first application 105. The static analysis module125 can provide further output data indicating such inter-processcommunications.

The output data provided by the static analysis module 125 can beretrieved by the security application 120 and stored to amachine-readable storage, either temporarily or permanently. Such outputdata can be made available to a runtime analysis module 135 of thesecurity application 120 or other components of the processing system110.

If the static analysis module 125 is not able to completely validate thefirst application 105, the security application 120 can allow theprocessing system 110 to install and/or execute the first application105. In this regard, the first application 105 can be scanned by thestatic analysis module 125 prior to, or after, installation onto theprocessing system 110. Indeed, in one aspect, if the static analysismodule 125 determines that the first application 105 is malicious, thesecurity application 120 can prevent the first application frominstalling onto the processing system 110, though the presentarrangements are not limited in this regard.

Notwithstanding, the security application 120 can perform runtimeanalysis on the first application 105 when the first application 105executes. For example the security application 120 can initiate theruntime analysis module 135 to determine whether the UI layout providedby the first application 105, during execution, is suspiciously similarto the UI layout of the second application 130. If the runtime analysismodule 135 indicates that the user interface layout of the firstapplication 105 is suspiciously similar to the user interface layout ofthe second application 130, the security application 120 can generate analert indicating that the first application 105 is malicious, forexample as previously described.

Further, output data provided by the static analysis module 125 can beprocessed by the runtime analysis module 135 to perform runtime scanningof the first application 105 when the first application 105 is installedonto, and executed by, the processing system 110. In illustration, atruntime, inter-process communications between the second application 130and the first application 105 can be monitored by the runtime analysismodule 135. Such inter-process communications can be identified based onthe output data related to the static analysis performed on the firstapplication 105 by the static analysis module 125.

When the first application 105 provides a runtime UI layout having aconfiguration unknown to static analysis module 125 at the time of thestatic analysis, and the first application 105 attempts, or requests, torespond to an invitation by the second application 130 to process a URI,the target URI can be loaded within the second application 130 and itsUI layout properties can be recorded. In addition, the first application105 also can be loaded, and thus its UI layout properties can bescanned. Based on the UI layout properties of the first application 105and the second application 130 a determination can be made as to whetherthe first application 105 is malicious. In illustration, if the currentUI layout of the first application 105 is suspiciously similar to the UIlayout of the second application 130 (e.g., there is a close resemblancebetween the current UI layout properties of the second application 130and the UI layout properties of the first application 105), the firstapplication 105 can be identified as potentially being unsafe.Accordingly, an alert indicating that the first application 105 ismalicious can be generated by the security application 120. Further, thesecurity application 120 can prevent the first application 105 fromstoring or communicating information received from user inputs receivedby the processing system 110. If the current UI layout of the firstapplication 105 is not suspiciously similar to the UI layout of thesecond application 130, however, the processing system can register thecurrent UI layout of the first application 105 as being benign from aphishing perspective, though the application need not be fully certifiedas being safe.

Here, the additional information about other UI layouts supported by thefirst application 105 (if available) is relevant. If the firstapplication 105 provides a known number of possible UI layouts atruntime, at runtime the first application 105 can scan each of theapplication UI layouts of the first application 105 to compare such UIlayouts to the UI layout of the second application 130, in real time, asthey are implemented by the first application 105. For example, theruntime analysis module 135 can determine that a current UI layoutprovided by the first application 105 is not suspiciously similar to aUI layout provided by the second application 130. However, the firstapplication 105 may provide a next UI layout, for example in response todetecting an inter-process communication, and in response to suchinter-process communication the runtime analysis module 135 can comparethe next UI layout of the first application 105 to the UI layoutprovided by the second application 130. If these UI layouts aresuspiciously similar, the security application 120 can generate analert.

The processing system can track the total number of different UI layoutsof the first application 105 as compared to the UI layout of the secondapplication 130 as such comparisons take place. If none of the firstapplication 105 UI layouts are suspiciously similar (e.g., closelyresemble) the second application 130 UI layout, when the number of firstapplication 105 UI layouts scanned equals the known total number offirst application 105 UI layouts, the first application 105 can becertified as being safe. Otherwise, the current session can resumenormally, but the first application 105 is not certified as being safein general since there may be additional UI layouts of the firstapplication 105 that have not been compared to the web browser.

Further, either the static analysis module 125 and/or the runtimeanalysis module 135 can be configured to determine whether the firstapplication 105 is configured to attempt to, or request, access at leastone inter-process communication that contains private information. Whenthe first application 105 is configured to attempt to, or request,access the at least one inter-process communication that containsprivate information, the security application 120 can determine that thefirst application 105 is malicious, and generate a corresponding alert.

The comparison of the UI layout of the first application 105 to thesecond application 130 can be performed in any suitable manner,including use of custom code/tools and/or use of tools known in the art.In illustration, the Robotium test framework for Android™ can be used tocompare UI layout properties of the first and second applications 105,130 in the case that the processing system 110 uses the Android™operating system.

Inter-process communications can comprise, for example in the Android™operating system, passing of intent objects. As used herein, the term“Intent object” means a passive data structure holding an abstractdescription of an operation to be performed or a description of an eventthat has happened and is being announced. Intent objects provide a meansof communicating among different applications executing in an operatingsystem environment. In one aspect, an intent object can be an implicitintent object. An implicit intent object is an intent object that doesnot name a target component that should act upon the intent object. Inanother aspect, the intent object can be an explicit intent object. Anexplicit intent object is an intent object that specifically names atarget component that should act upon the intent object. In the iOS®operating system, the inter-process communications can include messagesexchanged by applications invoking other applications' URI protocols.Such messages may include message content.

As used herein, the term “suspiciously similar” means a level ofsimilarity between at least two UI layouts that is exact, or a level ofsimilarity such that the user does not recognize that the UI layouts aredifferent without more than a mere glance of the respective UI layouts.In illustration, when a UI layout of the first application 105 issuspiciously similar to a UI layout of the second application 130,without a direct comparison of the UI layouts, or the attention of theuser being drawn to identify whether they are different, the user maynot recognize that the UI layout of the first application 105 does notdirectly correspond to the UI layout of the second application 130, eventhough the user may have previously viewed the UI layout of the secondapplication 130. In other words, the UI layout of the first application105 may be confusingly similar to the UI layout of the secondapplication 130.

As used herein, the term “real time” means a level of processingresponsiveness that a user or system senses as sufficiently immediatefor a particular process or determination to be made, or that enablesthe processor to keep up with some external process.

FIG. 2 is a block diagram illustrating an exemplary implementation of aprocessing system 110 of FIG. 1 in accordance with an embodimentdisclosed within this specification. The processing system 110 isconfigured to identify a malicious application. The processing system110 can be a computer, a mobile computer, a laptop computer, a tabletcomputer, a smart phone, a personal digital assistant, a gaming device,an appliance, or any other processing system configured to executeapplications.

The processing system 110 can include at least one processor 205 coupledto memory elements 210 through a system bus 215 or other suitablecircuitry. As such, the processing system 110 can store program codewithin the memory elements 210. The processor 205 can execute theprogram code accessed from the memory elements 210 via the system bus215. It should be appreciated that the processing system 110 can beimplemented in the form of any system including a processor and memorythat is capable of performing the functions and/or operations describedwithin this specification.

The memory elements 210 can include one or more physical memory devicessuch as, for example, local memory 220 and one or more bulk storagedevices 225. Local memory 220 refers to RAM or other non-persistentmemory device(s) generally used during actual execution of the programcode. The bulk storage device(s) 225 can be implemented as a hard diskdrive (HDD), solid state drive (SSD), or other persistent data storagedevice. The processing system 110 also can include one or more cachememories (not shown) that provide temporary storage of at least someprogram code in order to reduce the number of times program code must beretrieved from the bulk storage device 225 during execution.

Input/output (I/O) devices such as a keyboard and/or keypad 230, adisplay and/or touch screen 235 and/or a pointing device 240. The I/Odevices can be coupled to the processing system 110 either directly orthrough intervening I/O controllers. For example, thedisplay/touchscreen 235 can be coupled to the processing system 110 viaa graphics processing unit (GPU), which may be a component of theprocessor 205 or a discrete device. One or more network adapters 245also can be coupled to processing system 110 to enable processing system110 to become coupled to other systems, computer systems, remoteprinters, and/or remote storage devices through intervening private orpublic networks. Modems, cable modems, and Ethernet cards are examplesof different types of network adapters 245 that can be used withprocessing system 110.

As pictured in FIG. 2, the memory elements 210 can store the componentsof the processing system 110, namely the security application 120, thesecond application 130 and the first application 105. Being implementedin the form of executable program code, the security application 120 andthe second application 130 can be executed by processing system 110(e.g., via the processor 205) and, as such, can be considered part ofprocessing system 110. The first application 105 can be processed by theprocessing system 110, but need not be considered as part of theprocessing system 110 until installed. In illustration, the firstapplication 105 can be stored, temporarily, in the memory elements 210while being processed by the processor 205, but need not be installed inthe operating system of the processing system 110, though, as noted, itcan be.

The security application 120 can be executed by the processing system110 (e.g., via the processor 205) to implement the operations andfunctions described herein as being performed by the securityapplication 120, including the static analysis module 125 and theruntime analysis module 135. Further, the second application 130 can bea web browser, though this need not be the case.

FIG. 3 is a flowchart illustrating a method 300 of identifying whether afirst application is malicious in accordance with another embodimentdisclosed within this specification. At step 302, a first applicationbeing presented for installation on a processing system can be detected.The first application can be received from a web site visited by a user,received in an electronic communication, or received from a websiteindicated in an electronic communication, for example via a URI (e.g., aURL).

At step 304, via a static analysis implemented via a processor, thefirst application can be scanned to determine whether a UI layout of thefirst application is suspiciously similar to a UI layout of a secondapplication installed on the processing system. The static analysis canbe performed prior to, or without, the first application being installedon the processing system, or when/after the first application isinstalled on the processing system.

At decision block 306, a determination can be made as to whether the UIlayout of the first application is suspiciously similar to the UI layoutof the second application installed on the processing system. If so, atstep 308 an alert can be generated indicating that the first applicationis malicious.

In the UI layout of the first application is not suspiciously similar tothe UI layout of the second application, at step 310, during executionof the first application by the processing system, a runtime analysis ofthe first application can be performed. The runtime analysis cancomprise determining whether the UI layout of the first application issuspiciously similar to the UI layout of the second application. At step312, responsive to the runtime analysis indicating that the UI layout ofthe first application is suspiciously similar to the UI layout of thesecond application, an alert can be generated indicating that the firstapplication is malicious. At step 314, the first application can beprevented from storing or communicating information received from userinputs received by the processing system.

In one arrangement, performing the runtime analysis can includedetermining whether the first application at runtime attempts to, orrequests, access at least one inter-process communication that containsprivate information. When the first application at runtime attempts, orrequests, to access the at least one inter-process communication thatcontains private information, a determination can be made that the firstapplication is malicious.

Performing the runtime analysis also can include determining, at runtimeof the first application, whether a current UI layout of the firstapplication is suspiciously similar to the UI layout of the secondapplication. When the current UI layout of the application is notsuspiciously similar to the UI layout of the second application, atruntime of the first application, a determination can be made as towhether a next UI layout of the first application is suspiciouslysimilar to the UI layout of the second application.

In illustration, scanning, via the static analysis implemented by theprocessor, the first application to determine whether the UI layout ofthe first application is suspiciously similar to the UI layout of asecond application installed on the processing system can includedetermining a total number of possible UI layouts of the firstapplication. In such arrangement, the method 300 further can include,responsive to the static analysis being indeterminate as to whether thefirst application is suspiciously similar to the UI layout of the secondapplication, when the first application is executed, performing aruntime analysis of the first application to identify each UI layoutimplemented by the first application, and determining whether each UIlayout implemented by the first application is suspiciously similar to aUI layout of the second application. The method 300 also can include,responsive to the runtime analysis indicating that a total number of thefirst application UI layouts detected by the runtime analysis equals thetotal number of possible UI layouts determined by the static analysis,and that each of the first application UI layouts is not suspiciouslysimilar to the UI layout of the second application installed on theprocessing system, identifying the application as being safe.

FIG. 4 is another flowchart illustrating a method 400 of identifyingwhether a first application is malicious in accordance with anotherembodiment disclosed within this specification. At step 402, a firstapplication being presented for installation on a processing system canbe detected. The first application can be received from a web sitevisited by a user, received in an electronic communication, or receivedfrom a website indicated in an electronic communication, for example viaa URI.

At step 404, via a static analysis implemented by a processor, the firstapplication can be scanned to determine whether the first application ismalicious. At decision block 406, a determination can be made as towhether the static analysis is indeterminate as to whether the firstapplication is malicious. If so, at step 408, during execution of thefirst application by the processing system, a runtime analysis of thefirst application can be performed to determine whether the firstapplication is malicious. At step 410, responsive to the runtimeanalysis indicating that the first application is malicious, an alertindicating that the first application is malicious can be generated.Referring again to decision block 406, if the determination indicatesthat the static analysis is not indeterminate as to whether the firstapplication is malicious, at step 412 whether the first application is amalicious can be indicated application based on the static analysis.

In one arrangement, performing the runtime analysis can includedetermining whether the first application at runtime attempts to, orrequests, access at least one inter-process communication that containsprivate information. When the first application at runtime attempts, orrequests, to access the at least one inter-process communication thatcontains private information, a determination can be made that the firstapplication is malicious. In another arrangement, performing the runtimeanalysis can include determining, at runtime of the first application,whether a current UI layout of the first application is suspiciouslysimilar to a UI layout of the second application. When the current UIlayout of the first application is suspiciously similar to the UI layoutof the second application, a determination can be made that the firstapplication is malicious

Like numbers have been used to refer to the same items throughout thisspecification. The flowcharts and block diagrams in the Figuresillustrate the architecture, functionality, and operation of possibleimplementations of systems, methods and computer program productsaccording to various embodiments of the present invention. In thisregard, each block in the flowcharts or block diagrams may represent amodule, segment, or portion of code, which comprises one or moreexecutable instructions for implementing the specified logicalfunction(s). It should also be noted that, in some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustrations, and combinations ofblocks in the block diagrams and/or flowchart illustrations, can beimplemented by special purpose hardware-based systems that perform thespecified functions or acts, or combinations of special purpose hardwareand computer instructions.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a,” “an,” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “includes,”“including,” “comprises,” and/or “comprising,” when used in thisspecification, specify the presence of stated features, integers, steps,operations, elements, and/or components, but do not preclude thepresence or addition of one or more other features, integers, steps,operations, elements, components, and/or groups thereof.

Reference throughout this specification to “one embodiment,” “anembodiment,” or similar language means that a particular feature,structure, or characteristic described in connection with the embodimentis included in at least one embodiment disclosed within thisspecification. Thus, appearances of the phrases “in one embodiment,” “inan embodiment,” and similar language throughout this specification may,but do not necessarily, all refer to the same embodiment.

The term “plurality,” as used herein, is defined as two or more thantwo. The term “another,” as used herein, is defined as at least a secondor more. The term “coupled,” as used herein, is defined as connected,whether directly without any intervening elements or indirectly with oneor more intervening elements, unless otherwise indicated. Two elementsalso can be coupled mechanically, electrically, or communicativelylinked through a communication channel, pathway, network, or system. Theterm “and/or” as used herein refers to and encompasses any and allpossible combinations of one or more of the associated listed items. Itwill also be understood that, although the terms first, second, etc. maybe used herein to describe various elements, these elements should notbe limited by these terms, as these terms are only used to distinguishone element from another unless stated otherwise or the contextindicates otherwise.

The term “if” may be construed to mean “when” or “upon” or “in responseto determining” or “in response to detecting,” depending on the context.Similarly, the phrase “if it is determined” or “if [a stated conditionor event] is detected” may be construed to mean “upon determining” or“in response to determining” or “upon detecting [the stated condition orevent]” or “in response to detecting [the stated condition or event],”depending on the context.

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below are intended toinclude any structure, material, or act for performing the function incombination with other claimed elements as specifically claimed. Thedescription of the embodiments disclosed within this specification havebeen presented for purposes of illustration and description, but are notintended to be exhaustive or limited to the form disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of theembodiments of the invention. The embodiments were chosen and describedin order to best explain the principles of the invention and thepractical application, and to enable others of ordinary skill in the artto understand the inventive arrangements for various embodiments withvarious modifications as are suited to the particular use contemplated.

1-24. (canceled)
 25. A method comprising: detecting a first applicationbeing presented for installation on a processing system; scanning, via astatic analysis implemented by a processor, the first application todetermine whether a user interface layout of the first application issuspiciously similar to a user interface layout of a second applicationinstalled on the processing system and to determine a total number ofpossible user interface layouts of the first application, wherein theuser interface layout of the first application being suspiciouslysimilar to the user interface layout of a second application indicatesthe first application is attempting to emulate the second application;responsive to the static analysis being indeterminate as to whether thefirst application is suspiciously similar to the user interface layoutof the second application, responsive to the first application beingexecuted, performing a runtime analysis of the first application toidentify each user interface layout implemented by the firstapplication, and determining whether each user interface layoutimplemented by the first application is suspiciously similar to a userinterface layout of the second application; and responsive to theruntime analysis indicating that a total number of the first applicationuser interface layouts detected by the runtime analysis equals the totalnumber of possible user interface layouts determined by the staticanalysis, and that at least one of the first application user interfacelayouts is suspiciously similar to the user interface layout of thesecond application installed on the processing system, identifying thefirst application as being unsafe.
 26. The method of claim 25, whereinthe runtime analysis indicates that each of the first application userinterface layouts is suspiciously similar to the user interface layoutof the second application installed on the processing system.
 27. Themethod of claim 25, wherein the first application provides a knownnumber of possible user interface layouts.
 28. The method of claim 25,wherein at runtime the first application provides a known number ofpossible user interface layouts.
 29. The method of claim 25, wherein theruntime analysis compares user interface layouts of the firstapplication to user interface layouts of the second application as thefirst application presents the user interface layouts.
 30. The method ofclaim 25, wherein: the runtime analysis further determines whether thefirst application is configured to attempt to, or request, access atleast one inter-process communication that contains private information;and identifying the first application as being unsafe further isresponsive to determining that the first application is configured toattempt to, or request, access the at least one inter-processcommunication that contains private information.
 31. The method of claim30, wherein the at least one inter-process communication comprisespassing of an intent object.
 32. A processing system comprising: ahardware processor configured to initiate executable operationscomprising: detecting a first application being presented forinstallation on a processing system; scanning, via a static analysis,the first application to determine whether a user interface layout ofthe first application is suspiciously similar to a user interface layoutof a second application installed on the processing system and todetermine a total number of possible user interface layouts of the firstapplication, wherein the user interface layout of the first applicationbeing suspiciously similar to the user interface layout of a secondapplication indicates the first application is attempting to emulate thesecond application; responsive to the static analysis beingindeterminate as to whether the first application is suspiciouslysimilar to the user interface layout of the second application,responsive to the first application being executed, performing a runtimeanalysis of the first application to identify each user interface layoutimplemented by the first application, and determining whether each userinterface layout implemented by the first application is suspiciouslysimilar to a user interface layout of the second application; andresponsive to the runtime analysis indicating that a total number of thefirst application user interface layouts detected by the runtimeanalysis equals the total number of possible user interface layoutsdetermined by the static analysis, and that at least one of the firstapplication user interface layouts is suspiciously similar to the userinterface layout of the second application installed on the processingsystem, identifying the first application as being unsafe.
 33. Theprocessing system of claim 32, wherein the runtime analysis indicatesthat each of the first application user interface layouts issuspiciously similar to the user interface layout of the secondapplication installed on the processing system.
 34. The processingsystem of claim 32, wherein the first application provides a knownnumber of possible user interface layouts.
 35. The processing system ofclaim 32, wherein at runtime the first application provides a knownnumber of possible user interface layouts.
 36. The processing system ofclaim 32, wherein the runtime analysis compares user interface layoutsof the first application to user interface layouts of the secondapplication as the first application presents the user interfacelayouts.
 37. The processing system of claim 32, wherein: the runtimeanalysis further determines whether the first application is configuredto attempt to, or request, access at least one inter-processcommunication that contains private information; and identifying thefirst application as being unsafe further is responsive to determiningthat the first application is configured to attempt to, or request,access the at least one inter-process communication that containsprivate information.
 38. The processing system of claim 37, wherein theat least one inter-process communication comprises passing of an intentobject.
 39. A computer program product comprising: a computer-readablestorage device, wherein the computer-readable storage device is not atransitory, propagating signal per se, having stored thereon programcode that, when executed, configures a processor to perform operationscomprising: detecting a first application being presented forinstallation on a processing system; scanning, via a static analysis,the first application to determine whether a user interface layout ofthe first application is suspiciously similar to a user interface layoutof a second application installed on the processing system and todetermine a total number of possible user interface layouts of the firstapplication, wherein the user interface layout of the first applicationbeing suspiciously similar to the user interface layout of a secondapplication indicates the first application is attempting to emulate thesecond application; responsive to the static analysis beingindeterminate as to whether the first application is suspiciouslysimilar to the user interface layout of the second application,responsive to the first application being executed, performing a runtimeanalysis of the first application to identify each user interface layoutimplemented by the first application, and determining whether each userinterface layout implemented by the first application is suspiciouslysimilar to a user interface layout of the second application; andresponsive to the runtime analysis indicating that a total number of thefirst application user interface layouts detected by the runtimeanalysis equals the total number of possible user interface layoutsdetermined by the static analysis, and that at least one of the firstapplication user interface layouts is suspiciously similar to the userinterface layout of the second application installed on the processingsystem, identifying the first application as being unsafe.
 40. Thecomputer program product of claim 39, wherein the runtime analysisindicates that each of the first application user interface layouts issuspiciously similar to the user interface layout of the secondapplication installed on the processing system.
 41. The computer programproduct of claim 39, wherein the first application provides a knownnumber of possible user interface layouts.
 42. The computer programproduct of claim 39, wherein at runtime the first application provides aknown number of possible user interface layouts.
 43. The computerprogram product of claim 39, wherein the runtime analysis compares userinterface layouts of the first application to user interface layouts ofthe second application as the first application presents the userinterface layouts.
 44. The computer program product of claim 39,wherein: the runtime analysis further determines whether the firstapplication is configured to attempt to, or request, access at least oneinter-process communication that contains private information; andidentifying the first application as being unsafe further is responsiveto determining that the first application is configured to attempt to,or request, access the at least one inter-process communication thatcontains private information.